Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | # |
2 | # IP netfilter configuration | |
3 | # | |
4 | ||
5 | menu "IP: Netfilter Configuration" | |
6 | depends on INET && NETFILTER | |
7 | ||
9fb9cbb1 | 8 | config NF_CONNTRACK_IPV4 |
c9386cfd PM |
9 | tristate "IPv4 connection tracking support (required for NAT)" |
10 | depends on NF_CONNTRACK | |
9fb9cbb1 YK |
11 | ---help--- |
12 | Connection tracking keeps a record of what packets have passed | |
13 | through your machine, in order to figure out how they are related | |
14 | into connections. | |
15 | ||
16 | This is IPv4 support on Layer 3 independent connection tracking. | |
17 | Layer 3 independent connection tracking is experimental scheme | |
18 | which generalize ip_conntrack to support other layer 3 protocols. | |
19 | ||
20 | To compile it as a module, choose M here. If unsure, say N. | |
21 | ||
a999e683 PM |
22 | config NF_CONNTRACK_PROC_COMPAT |
23 | bool "proc/sysctl compatibility with old connection tracking" | |
0c4ca1bd | 24 | depends on NF_CONNTRACK_IPV4 |
a999e683 PM |
25 | default y |
26 | help | |
27 | This option enables /proc and sysctl compatibility with the old | |
28 | layer 3 dependant connection tracking. This is needed to keep | |
29 | old programs that have not been adapted to the new names working. | |
30 | ||
31 | If unsure, say Y. | |
32 | ||
1da177e4 | 33 | config IP_NF_QUEUE |
7af4cc3f | 34 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
1da177e4 LT |
35 | help |
36 | Netfilter has the ability to queue packets to user space: the | |
37 | netlink device can be used to access them using this driver. | |
38 | ||
7af4cc3f HW |
39 | This option enables the old IPv4-only "ip_queue" implementation |
40 | which has been obsoleted by the new "nfnetlink_queue" code (see | |
41 | CONFIG_NETFILTER_NETLINK_QUEUE). | |
42 | ||
1da177e4 LT |
43 | To compile it as a module, choose M here. If unsure, say N. |
44 | ||
45 | config IP_NF_IPTABLES | |
46 | tristate "IP tables support (required for filtering/masq/NAT)" | |
a3c941b0 | 47 | select NETFILTER_XTABLES |
1da177e4 LT |
48 | help |
49 | iptables is a general, extensible packet identification framework. | |
50 | The packet filtering and full NAT (masquerading, port forwarding, | |
51 | etc) subsystems now use this: say `Y' or `M' here if you want to use | |
52 | either of those. | |
53 | ||
54 | To compile it as a module, choose M here. If unsure, say N. | |
55 | ||
56 | # The matches. | |
1da177e4 LT |
57 | config IP_NF_MATCH_IPRANGE |
58 | tristate "IP range match support" | |
59 | depends on IP_NF_IPTABLES | |
60 | help | |
61 | This option makes possible to match IP addresses against IP address | |
62 | ranges. | |
63 | ||
64 | To compile it as a module, choose M here. If unsure, say N. | |
65 | ||
1da177e4 LT |
66 | config IP_NF_MATCH_TOS |
67 | tristate "TOS match support" | |
68 | depends on IP_NF_IPTABLES | |
69 | help | |
70 | TOS matching allows you to match packets based on the Type Of | |
71 | Service fields of the IP packet. | |
72 | ||
73 | To compile it as a module, choose M here. If unsure, say N. | |
74 | ||
75 | config IP_NF_MATCH_RECENT | |
76 | tristate "recent match support" | |
77 | depends on IP_NF_IPTABLES | |
78 | help | |
79 | This match is used for creating one or many lists of recently | |
80 | used addresses and then matching against that/those list(s). | |
81 | ||
82 | Short options are available by using 'iptables -m recent -h' | |
83 | Official Website: <http://snowman.net/projects/ipt_recent/> | |
84 | ||
85 | To compile it as a module, choose M here. If unsure, say N. | |
86 | ||
87 | config IP_NF_MATCH_ECN | |
88 | tristate "ECN match support" | |
89 | depends on IP_NF_IPTABLES | |
90 | help | |
91 | This option adds a `ECN' match, which allows you to match against | |
92 | the IPv4 and TCP header ECN fields. | |
93 | ||
94 | To compile it as a module, choose M here. If unsure, say N. | |
95 | ||
dc5ab2fa YK |
96 | config IP_NF_MATCH_AH |
97 | tristate "AH match support" | |
1da177e4 LT |
98 | depends on IP_NF_IPTABLES |
99 | help | |
dc5ab2fa YK |
100 | This match extension allows you to match a range of SPIs |
101 | inside AH header of IPSec packets. | |
1da177e4 LT |
102 | |
103 | To compile it as a module, choose M here. If unsure, say N. | |
104 | ||
1da177e4 LT |
105 | config IP_NF_MATCH_TTL |
106 | tristate "TTL match support" | |
107 | depends on IP_NF_IPTABLES | |
108 | help | |
109 | This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user | |
110 | to match packets by their TTL value. | |
111 | ||
112 | To compile it as a module, choose M here. If unsure, say N. | |
113 | ||
1da177e4 LT |
114 | config IP_NF_MATCH_OWNER |
115 | tristate "Owner match support" | |
116 | depends on IP_NF_IPTABLES | |
117 | help | |
118 | Packet owner matching allows you to match locally-generated packets | |
119 | based on who created them: the user, group, process or session. | |
120 | ||
121 | To compile it as a module, choose M here. If unsure, say N. | |
122 | ||
1da177e4 LT |
123 | config IP_NF_MATCH_ADDRTYPE |
124 | tristate 'address type match support' | |
125 | depends on IP_NF_IPTABLES | |
126 | help | |
127 | This option allows you to match what routing thinks of an address, | |
128 | eg. UNICAST, LOCAL, BROADCAST, ... | |
129 | ||
130 | If you want to compile it as a module, say M here and read | |
131 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
132 | ||
1da177e4 LT |
133 | # `filter', generic and specific targets |
134 | config IP_NF_FILTER | |
135 | tristate "Packet filtering" | |
136 | depends on IP_NF_IPTABLES | |
137 | help | |
138 | Packet filtering defines a table `filter', which has a series of | |
139 | rules for simple packet filtering at local input, forwarding and | |
140 | local output. See the man page for iptables(8). | |
141 | ||
142 | To compile it as a module, choose M here. If unsure, say N. | |
143 | ||
144 | config IP_NF_TARGET_REJECT | |
145 | tristate "REJECT target support" | |
146 | depends on IP_NF_FILTER | |
147 | help | |
148 | The REJECT target allows a filtering rule to specify that an ICMP | |
149 | error should be issued in response to an incoming packet, rather | |
150 | than silently being dropped. | |
151 | ||
152 | To compile it as a module, choose M here. If unsure, say N. | |
153 | ||
154 | config IP_NF_TARGET_LOG | |
155 | tristate "LOG target support" | |
156 | depends on IP_NF_IPTABLES | |
157 | help | |
158 | This option adds a `LOG' target, which allows you to create rules in | |
159 | any iptables table which records the packet header to the syslog. | |
160 | ||
161 | To compile it as a module, choose M here. If unsure, say N. | |
162 | ||
163 | config IP_NF_TARGET_ULOG | |
44adf28f | 164 | tristate "ULOG target support" |
1da177e4 LT |
165 | depends on IP_NF_IPTABLES |
166 | ---help--- | |
f40863ce HW |
167 | |
168 | This option enables the old IPv4-only "ipt_ULOG" implementation | |
169 | which has been obsoleted by the new "nfnetlink_log" code (see | |
170 | CONFIG_NETFILTER_NETLINK_LOG). | |
171 | ||
1da177e4 LT |
172 | This option adds a `ULOG' target, which allows you to create rules in |
173 | any iptables table. The packet is passed to a userspace logging | |
174 | daemon using netlink multicast sockets; unlike the LOG target | |
175 | which can only be viewed through syslog. | |
176 | ||
44c09201 | 177 | The appropriate userspace logging daemon (ulogd) may be obtained from |
1da177e4 LT |
178 | <http://www.gnumonks.org/projects/ulogd/> |
179 | ||
180 | To compile it as a module, choose M here. If unsure, say N. | |
181 | ||
5b1158e9 JK |
182 | # NAT + specific targets: nf_conntrack |
183 | config NF_NAT | |
184 | tristate "Full NAT" | |
083e69e9 | 185 | depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4 |
5b1158e9 JK |
186 | help |
187 | The Full NAT option allows masquerading, port forwarding and other | |
188 | forms of full Network Address Port Translation. It is controlled by | |
189 | the `nat' table in iptables: see the man page for iptables(8). | |
190 | ||
191 | To compile it as a module, choose M here. If unsure, say N. | |
192 | ||
5b1158e9 JK |
193 | config NF_NAT_NEEDED |
194 | bool | |
195 | depends on NF_NAT | |
1da177e4 LT |
196 | default y |
197 | ||
198 | config IP_NF_TARGET_MASQUERADE | |
199 | tristate "MASQUERADE target support" | |
587aa641 | 200 | depends on NF_NAT |
1da177e4 LT |
201 | help |
202 | Masquerading is a special case of NAT: all outgoing connections are | |
203 | changed to seem to come from a particular interface's address, and | |
204 | if the interface goes down, those connections are lost. This is | |
205 | only useful for dialup accounts with dynamic IP address (ie. your IP | |
206 | address will be different on next dialup). | |
207 | ||
208 | To compile it as a module, choose M here. If unsure, say N. | |
209 | ||
210 | config IP_NF_TARGET_REDIRECT | |
211 | tristate "REDIRECT target support" | |
587aa641 | 212 | depends on NF_NAT |
1da177e4 LT |
213 | help |
214 | REDIRECT is a special case of NAT: all incoming connections are | |
215 | mapped onto the incoming interface's address, causing the packets to | |
216 | come to the local machine instead of passing through. This is | |
217 | useful for transparent proxies. | |
218 | ||
219 | To compile it as a module, choose M here. If unsure, say N. | |
220 | ||
221 | config IP_NF_TARGET_NETMAP | |
222 | tristate "NETMAP target support" | |
587aa641 | 223 | depends on NF_NAT |
1da177e4 LT |
224 | help |
225 | NETMAP is an implementation of static 1:1 NAT mapping of network | |
226 | addresses. It maps the network address part, while keeping the host | |
227 | address part intact. It is similar to Fast NAT, except that | |
228 | Netfilter's connection tracking doesn't work well with Fast NAT. | |
229 | ||
230 | To compile it as a module, choose M here. If unsure, say N. | |
231 | ||
232 | config IP_NF_TARGET_SAME | |
3569b621 | 233 | tristate "SAME target support (OBSOLETE)" |
587aa641 | 234 | depends on NF_NAT |
1da177e4 LT |
235 | help |
236 | This option adds a `SAME' target, which works like the standard SNAT | |
237 | target, but attempts to give clients the same IP for all connections. | |
238 | ||
239 | To compile it as a module, choose M here. If unsure, say N. | |
240 | ||
807467c2 PM |
241 | config NF_NAT_SNMP_BASIC |
242 | tristate "Basic SNMP-ALG support (EXPERIMENTAL)" | |
243 | depends on EXPERIMENTAL && NF_NAT | |
244 | ---help--- | |
245 | ||
246 | This module implements an Application Layer Gateway (ALG) for | |
247 | SNMP payloads. In conjunction with NAT, it allows a network | |
1da177e4 LT |
248 | management system to access multiple private networks with |
249 | conflicting addresses. It works by modifying IP addresses | |
250 | inside SNMP payloads to match IP-layer NAT mapping. | |
251 | ||
252 | This is the "basic" form of SNMP-ALG, as described in RFC 2962 | |
253 | ||
254 | To compile it as a module, choose M here. If unsure, say N. | |
255 | ||
55a73324 JK |
256 | # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), |
257 | # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. | |
258 | # From kconfig-language.txt: | |
259 | # | |
260 | # <expr> '&&' <expr> (6) | |
261 | # | |
262 | # (6) Returns the result of min(/expr/, /expr/). | |
f09943fe PM |
263 | config NF_NAT_PROTO_GRE |
264 | tristate | |
265 | depends on NF_NAT && NF_CT_PROTO_GRE | |
266 | ||
55a73324 JK |
267 | config NF_NAT_FTP |
268 | tristate | |
269 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
270 | default NF_NAT && NF_CONNTRACK_FTP | |
271 | ||
869f37d8 PM |
272 | config NF_NAT_IRC |
273 | tristate | |
274 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
275 | default NF_NAT && NF_CONNTRACK_IRC | |
276 | ||
a536df35 PM |
277 | config NF_NAT_TFTP |
278 | tristate | |
279 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
280 | default NF_NAT && NF_CONNTRACK_TFTP | |
281 | ||
16958900 PM |
282 | config NF_NAT_AMANDA |
283 | tristate | |
284 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
285 | default NF_NAT && NF_CONNTRACK_AMANDA | |
286 | ||
f09943fe PM |
287 | config NF_NAT_PPTP |
288 | tristate | |
289 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
290 | default NF_NAT && NF_CONNTRACK_PPTP | |
291 | select NF_NAT_PROTO_GRE | |
292 | ||
f587de0e PM |
293 | config NF_NAT_H323 |
294 | tristate | |
295 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
296 | default NF_NAT && NF_CONNTRACK_H323 | |
297 | ||
9fafcd7b PM |
298 | config NF_NAT_SIP |
299 | tristate | |
300 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
301 | default NF_NAT && NF_CONNTRACK_SIP | |
302 | ||
1da177e4 LT |
303 | # mangle + specific targets |
304 | config IP_NF_MANGLE | |
305 | tristate "Packet mangling" | |
306 | depends on IP_NF_IPTABLES | |
307 | help | |
308 | This option adds a `mangle' table to iptables: see the man page for | |
309 | iptables(8). This table is used for various packet alterations | |
310 | which can effect how the packet is routed. | |
311 | ||
312 | To compile it as a module, choose M here. If unsure, say N. | |
313 | ||
314 | config IP_NF_TARGET_TOS | |
315 | tristate "TOS target support" | |
316 | depends on IP_NF_MANGLE | |
317 | help | |
318 | This option adds a `TOS' target, which allows you to create rules in | |
319 | the `mangle' table which alter the Type Of Service field of an IP | |
320 | packet prior to routing. | |
321 | ||
322 | To compile it as a module, choose M here. If unsure, say N. | |
323 | ||
324 | config IP_NF_TARGET_ECN | |
325 | tristate "ECN target support" | |
326 | depends on IP_NF_MANGLE | |
327 | ---help--- | |
328 | This option adds a `ECN' target, which can be used in the iptables mangle | |
329 | table. | |
330 | ||
331 | You can use this target to remove the ECN bits from the IPv4 header of | |
332 | an IP packet. This is particularly useful, if you need to work around | |
333 | existing ECN blackholes on the internet, but don't want to disable | |
334 | ECN support in general. | |
335 | ||
336 | To compile it as a module, choose M here. If unsure, say N. | |
337 | ||
5f2c3b91 HW |
338 | config IP_NF_TARGET_TTL |
339 | tristate 'TTL target support' | |
340 | depends on IP_NF_MANGLE | |
341 | help | |
342 | This option adds a `TTL' target, which enables the user to modify | |
343 | the TTL value of the IP header. | |
344 | ||
345 | While it is safe to decrement/lower the TTL, this target also enables | |
346 | functionality to increment and set the TTL value of the IP header to | |
347 | arbitrary values. This is EXTREMELY DANGEROUS since you can easily | |
348 | create immortal packets that loop forever on the network. | |
349 | ||
350 | To compile it as a module, choose M here. If unsure, say N. | |
351 | ||
1da177e4 LT |
352 | config IP_NF_TARGET_CLUSTERIP |
353 | tristate "CLUSTERIP target support (EXPERIMENTAL)" | |
2b8f2ff6 | 354 | depends on IP_NF_MANGLE && EXPERIMENTAL |
587aa641 PM |
355 | depends on NF_CONNTRACK_IPV4 |
356 | select NF_CONNTRACK_MARK | |
1da177e4 LT |
357 | help |
358 | The CLUSTERIP target allows you to build load-balancing clusters of | |
359 | network servers without having a dedicated load-balancing | |
360 | router/server/switch. | |
361 | ||
362 | To compile it as a module, choose M here. If unsure, say N. | |
363 | ||
364 | # raw + specific targets | |
365 | config IP_NF_RAW | |
366 | tristate 'raw table support (required for NOTRACK/TRACE)' | |
367 | depends on IP_NF_IPTABLES | |
368 | help | |
369 | This option adds a `raw' table to iptables. This table is the very | |
370 | first in the netfilter framework and hooks in at the PREROUTING | |
371 | and OUTPUT chains. | |
372 | ||
373 | If you want to compile it as a module, say M here and read | |
374 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
375 | ||
1da177e4 LT |
376 | # ARP tables |
377 | config IP_NF_ARPTABLES | |
378 | tristate "ARP tables support" | |
a3c941b0 | 379 | select NETFILTER_XTABLES |
1da177e4 LT |
380 | help |
381 | arptables is a general, extensible packet identification framework. | |
382 | The ARP packet filtering and mangling (manipulation)subsystems | |
383 | use this: say Y or M here if you want to use either of those. | |
384 | ||
385 | To compile it as a module, choose M here. If unsure, say N. | |
386 | ||
387 | config IP_NF_ARPFILTER | |
388 | tristate "ARP packet filtering" | |
389 | depends on IP_NF_ARPTABLES | |
390 | help | |
391 | ARP packet filtering defines a table `filter', which has a series of | |
392 | rules for simple ARP packet filtering at local input and | |
393 | local output. On a bridge, you can also specify filtering rules | |
394 | for forwarded ARP packets. See the man page for arptables(8). | |
395 | ||
396 | To compile it as a module, choose M here. If unsure, say N. | |
397 | ||
398 | config IP_NF_ARP_MANGLE | |
399 | tristate "ARP payload mangling" | |
400 | depends on IP_NF_ARPTABLES | |
401 | help | |
402 | Allows altering the ARP packet payload: source and destination | |
403 | hardware and network addresses. | |
404 | ||
405 | endmenu | |
406 |